ipxe / wimboot

WIM bootloader
https://ipxe.org/wimboot
GNU General Public License v2.0

Impossible to Boot due to CVE-2023-24932 #47

Closed JM2K69 closed 1 year ago

JM2K69 commented 1 year ago

With a PC with the patch, the PC won't boot with Secure Boot.

CVE: CVE-2023-24932 (Microsoft patch). I think wimboot must be signed with the new Microsoft certificate.

eccoes commented 1 year ago

We have the same issue after the patch and the change made to Secure Boot UEFI Forbidden List.

NiKiZe commented 1 year ago

Could any of you clarify what happens here? Does wimboot fail to boot on updated firmware? Or does wimboot fail to boot the updated bootmgr?

It would be great with an explanation of what actually happens. The current description is quite close to "don't work" which isn't really helpful.

Thanks!

eccoes commented 1 year ago

Yes, wimboot fails to boot on updated firmware. I'm not really sure which step it is that's failing. In our case we don't get to the step where we can select a task sequence to start downloading the updated boot image; the machine just goes on and boots Windows after this step.

JM2K69 commented 1 year ago

Yes, I have the same problem. I think we need to have another boot file signed with the new certificate because Microsoft revoked the previous one. I think that.

NiKiZe commented 1 year ago

> Yes, wimboot fails to boot on updated firmware. I'm not really sure which step it is that's failing. In our case we don't get to the step where we can select a task sequence to start downloading the updated boot image; the machine just goes on and boots Windows after this step.

Neither iPXE nor wimboot has any task sequence. That is inside WinPE, but depends on your setup. What we see on the image is iPXE waiting at the prompt, not using wimboot at all. Is there anything that shows an actual error?

JM2K69 commented 1 year ago

In my case I use wimboot to connect to an MDT share.

NiKiZe commented 1 year ago

Sure, but if the problem is with wimboot, then you will either get an error when starting wimboot itself, or when wimboot starts the Windows bootmgr.

Does the same boot work on some hardware but not on other? Or does it always fail? If it always fails, exactly which version of Windows is in your boot.wim? And how does anyone recreate such a boot.wim?

JM2K69 commented 1 year ago

It fails when the firmware was updated. On a new VM without the update it works fine, but when the firmware was updated it does not.

eccoes commented 1 year ago

In my case all other machines are working, regardless of whether I use an updated boot image or not. Only the one where the Secure Boot UEFI Forbidden List is changed fails to boot. (Windows 11 22H2)

We are using iPXE Anywhere from 2Pint Software, so I have contacted them for a solution also. With iPXE/2PXE we have a GUI to select task sequences, but after the change to Secure Boot that machine is unable to boot to the GUI.

Since I don't have a lot of knowledge of how iPXE/wimboot works, I don't know what else I can do to troubleshoot this issue, but I can ensure it's because of KB5025885/CVE-2023-24932.

The only error message I got is the one below. Secure Boot is off because with Secure Boot activated I cannot go into debug mode.

JM2K69 commented 1 year ago

I'm only using iPXE.

Hammarskjold commented 1 year ago

@eccoes it seems as if the version of iPXE has a signature that is new enough to load iPXE. But then we have an older signature on the wimboot file. So @mcb30, either it is this:

  1. The wimboot signature needs to be updated (resigned). This would be an easy fix.
  2. The internals of the updated files used to boot WinPE via wimboot have changed and the wimboot process does not work; this would be bad.

I don't have access to a system to test, as I am sitting in mosquito-infested southern France.
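The thread turns on whether a bootloader's signature or hash has been pushed into the Secure Boot forbidden list (dbx). The following is an added example, not code from wimboot or iPXE: it parses the EFI_SIGNATURE_LIST layout that db/dbx use and reports whether a given image hash is listed. The dbx blob, the owner GUID and the "image" byte strings are constructed here for illustration; real dbx entries carry the Authenticode (PE image) hash, not a flat SHA-256 of the file, so plug in the Authenticode hash when checking a real binary. Only the two signature-type GUIDs are taken from the UEFI specification.

```python
"""Check whether a boot image hash appears in a Secure Boot dbx blob.

Added example, not part of wimboot or iPXE. dbx is a concatenation of
EFI_SIGNATURE_LIST structures:
    SignatureType (GUID, 16 bytes) | SignatureListSize (u32)
    | SignatureHeaderSize (u32) | SignatureSize (u32)
    | SignatureHeader | N * (SignatureOwner GUID + SignatureData)
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Return [(signature_type, owner, data), ...] for every entry in the blob.

    Raises ValueError on a truncated or inconsistent list, which is what a
    checker should do rather than silently reporting 'not revoked'."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        body_start = off + SIGLIST_HDR.size + hdr_size
        body_end = off + list_size
        if list_size < SIGLIST_HDR.size or body_end > len(blob) or body_start > body_end:
            raise ValueError("bad SignatureListSize/SignatureHeaderSize")
        if sig_size < 16 or (body_end - body_start) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
        off = body_end
    return entries


def revoked_hashes(blob: bytes) -> set:
    """Only EFI_CERT_SHA256 entries are image hashes; X.509 entries revoke whole CAs."""
    return {data for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(image_hash: bytes, blob: bytes) -> bool:
    return image_hash in revoked_hashes(blob)


def image_hash(image: bytes) -> bytes:
    """Stand-in for the Authenticode PE hash (plain SHA-256 over the constructed bytes)."""
    return hashlib.sha256(image).digest()


def load_efivar(path: str) -> bytes:
    """Read dbx from Linux efivarfs, e.g.
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    The first 4 bytes there are the variable attributes, not dbx data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items) -> bytes:
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    items = list(items)
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample data (not real Microsoft or wimboot values).
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-00000000c0de")
OLD_IMAGE = b"constructed stand-in for a bootloader signed before the revocation"
NEW_IMAGE = b"constructed stand-in for a bootloader re-signed after the revocation"
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                         [image_hash(OLD_IMAGE), image_hash(b"another revoked image")])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"constructed DER placeholder"])
)

if __name__ == "__main__":
    for name, image in (("old image", OLD_IMAGE), ("new image", NEW_IMAGE)):
        state = "REVOKED by dbx" if is_revoked(image_hash(image), SAMPLE_DBX) else "not listed"
        print(f"{name}: {state}")
```

On a Linux host with efivarfs mounted, `revoked_hashes(load_efivar(path))` gives the set of revoked image hashes the firmware will refuse to execute; a hash present there explains a "silently falls through to the next boot entry" symptom like the one reported above better than any message the firmware prints.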

mcb30 commented 1 year ago

Please retry with the latest signed wimboot v2.7.6 (signed and released just now).

Assuming that this is now fixed for you: please comment if not.